|
Open-ended question: Let's say you want to detect, in real-time, whether some traffic (requests) on your site is generated by a bot. How would you detect if site traffic is a real human, or a bot? |
|
From Ajax Control Toolkit NoBot, here are some already-implemented techniques: *Forcing the client's browser to perform a configurable JavaScript calculation and verifying the result as part of the postback. (Ex: the calculation may be a simple numeric one, or may also involve the DOM for added assurance that a browser is involved) Enforcing a configurable delay between when a form is requested and when it can be posted back. (Ex: a human is unlikely to complete a form in less than two seconds) Enforcing a configurable limit to the number of acceptable requests per IP address per unit of time. (Ex: a human is unlikely to submit the same form more than five times in one minute)*
1
With modern browsers, its not uncommon for many requestions in a short time from a single user. As an example, I middle click (open in new tab) a lot of links in reddit, then go through them one by one. Also, forms with remembered data can be filled quickly (such as a form with a single error being resubmitted). My point isn't to ignore these tools, just don't use them blindly. Think about how it will impact legitimate users (False Positives) before you worry about impacting bots. The exception is when you are being overridden by spambots. Set all anti-spam levels to 10 and apologise to your users while you work it out.
(Sep 12 '10 at 22:00)
Robert Layton
|
